UBUNTU-CVE-2026-40997

Source
https://ubuntu.com/security/CVE-2026-40997
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40997.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-40997
Upstream
  • CVE-2026-40997
Published
2026-06-11T07:16:00Z
Modified
2026-06-17T04:28:51Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Ubuntu - medium
Summary
[none]
Details

Several Spring Web Services (Spring WS) integration paths with Spring Security can surface detailed account state (for example that a user is locked or disabled) to remote SOAP clients through exception messages or callback outcomes, instead of failing with one generic authentication error. An unauthenticated remote client can therefore distinguish valid accounts from invalid ones and infer account lifecycle state (user enumeration), which is why the vector above scores a low confidentiality impact and no integrity or availability impact. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Note on the package mapping below: the Ubuntu source package spring (binaries spring, spring-common and spring-javaai; upstream versions 100.0 through 106.0) is the Spring RTS game engine and does not contain Spring Web Services. For this CVE, check Java applications for a bundled spring-ws-security artifact in the version ranges above rather than relying on dpkg version checks against the ranges listed for the spring package.
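The following is an added example, not code from the OSV record, Ubuntu or the Spring Web Services project. It shows the flaw from the client's side: a checker that takes the SOAP 1.1 faults an endpoint returns for one probe per account state (nonexistent, locked, disabled, valid with a wrong password), normalises away per-request noise, and reports whether the endpoint acts as an account-state oracle. The fault bodies, probe labels, request ids and fault texts are constructed for this example and are assumptions; a hardened response set is included beside the leaky one so both outcomes can be seen.

```python
"""Client-side oracle check for account-state leakage through SOAP faults.

Added example (assumptions throughout): the SOAP fault bodies below are
constructed, not captured from a real service, and only SOAP 1.1 faults are
handled. A leaky Spring WS endpoint echoes the text of Spring Security's
LockedException / DisabledException / UsernameNotFoundException; a hardened
one collapses every authentication failure to a single generic fault.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"


def fault_envelope(faultstring: str) -> str:
    """Build a minimal SOAP 1.1 Fault; stands in for a captured HTTP response body."""
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}"><SOAP-ENV:Body>'
        "<SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode>"
        f"<faultstring>{faultstring}</faultstring></SOAP-ENV:Fault>"
        "</SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


# One probe per account state, each sent with a deliberately wrong password.
# Constructed sample data: a leaky endpoint echoes the underlying exception text.
VULNERABLE_RESPONSES = {
    "nonexistent-user": fault_envelope("User 'ghost' not found (request 7f3a9c)"),
    "locked-user": fault_envelope("User account is locked (request 0b11e2)"),
    "disabled-user": fault_envelope("User is disabled (request 4d2c70)"),
    "valid-user-bad-password": fault_envelope("Bad credentials (request 9e0f31)"),
}

# The hardened shape: every authentication failure maps to one fixed fault.
HARDENED_RESPONSES = {
    label: fault_envelope("Authentication failed") for label in VULNERABLE_RESPONSES
}


def fault_string(envelope: str) -> str:
    """Extract the faultstring text from a SOAP 1.1 Fault envelope."""
    root = ET.fromstring(envelope)
    node = root.find(f".//{{{SOAP_ENV}}}Fault/faultstring")
    if node is None or node.text is None:
        raise ValueError("response carries no SOAP 1.1 faultstring")
    return node.text


def normalise(text: str) -> str:
    """Strip per-request noise (quoted usernames, hex request ids containing a
    digit, whitespace, case) so only the message's semantic shape remains."""
    text = re.sub(r"'[^']*'", "'<user>'", text)
    text = re.sub(r"\b(?=[0-9a-f]*\d)[0-9a-f]{4,}\b", "<id>", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def leak_classes(responses: dict[str, str]) -> dict[str, list[str]]:
    """Group probe labels by the normalised fault each one received."""
    groups: dict[str, list[str]] = defaultdict(list)
    for label, envelope in responses.items():
        groups[normalise(fault_string(envelope))].append(label)
    return dict(groups)


def leaks_account_state(responses: dict[str, str]) -> bool:
    """True when at least two probe classes get distinguishable faults, i.e.
    the endpoint works as a username / account-state oracle."""
    return len(leak_classes(responses)) > 1


if __name__ == "__main__":
    for name, responses in (("vulnerable", VULNERABLE_RESPONSES),
                            ("hardened", HARDENED_RESPONSES)):
        print(f"{name}: leaks={leaks_account_state(responses)}")
        for fault, labels in leak_classes(responses).items():
            print(f"  {fault!r} <- {labels}")
```

Against a live service the same comparison should also cover the HTTP status code and response time, since an endpoint that has been made to return one fault text can still differ on those. On the server side the corresponding fix is to map every Spring Security AuthenticationException subtype to the same fixed fault (for example through Spring WS's SoapFaultMappingExceptionResolver, keyed by exception class) and to log the specific cause server-side only.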

References

Affected packages

Ubuntu:16.04:LTS
spring

Package

Name
spring
Purl
pkg:deb/ubuntu/spring?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

100.*
100.0+dfsg-2
100.0+dfsg-2build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "spring",
            "binary_version": "100.0+dfsg-2build1"
        },
        {
            "binary_name": "spring-common",
            "binary_version": "100.0+dfsg-2build1"
        },
        {
            "binary_name": "spring-javaai",
            "binary_version": "100.0+dfsg-2build1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40997.json"
Ubuntu:18.04:LTS
spring

Package

Name
spring
Purl
pkg:deb/ubuntu/spring?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

103.*
103.0+dfsg2-1
103.0+dfsg2-1build1
104.*
104.0+dfsg-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "spring",
            "binary_version": "104.0+dfsg-2"
        },
        {
            "binary_name": "spring-common",
            "binary_version": "104.0+dfsg-2"
        },
        {
            "binary_name": "spring-javaai",
            "binary_version": "104.0+dfsg-2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40997.json"
Ubuntu:20.04:LTS
spring

Package

Name
spring
Purl
pkg:deb/ubuntu/spring?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

104.*
104.0+dfsg-3build2
104.0+dfsg-4ubuntu1
104.0+dfsg-4ubuntu2
104.0+dfsg-4ubuntu5
104.0+dfsg-4ubuntu6
104.0+dfsg-4ubuntu7

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "spring",
            "binary_version": "104.0+dfsg-4ubuntu7"
        },
        {
            "binary_name": "spring-common",
            "binary_version": "104.0+dfsg-4ubuntu7"
        },
        {
            "binary_name": "spring-javaai",
            "binary_version": "104.0+dfsg-4ubuntu7"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40997.json"
Ubuntu:22.04:LTS
spring

Package

Name
spring
Purl
pkg:deb/ubuntu/spring?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

105.*
105.0.1+dfsg-2
105.0.1+dfsg-3ubuntu1
105.0.1+dfsg-3ubuntu2
105.0.1+dfsg-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "spring",
            "binary_version": "105.0.1+dfsg-4"
        },
        {
            "binary_name": "spring-common",
            "binary_version": "105.0.1+dfsg-4"
        },
        {
            "binary_name": "spring-javaai",
            "binary_version": "105.0.1+dfsg-4"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40997.json"
Ubuntu:24.04:LTS
spring

Package

Name
spring
Purl
pkg:deb/ubuntu/spring?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

106.*
106.0+dfsg-2
106.0+dfsg-3
106.0+dfsg-3build2
106.0+dfsg-3build3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "spring",
            "binary_version": "106.0+dfsg-3build3"
        },
        {
            "binary_name": "spring-common",
            "binary_version": "106.0+dfsg-3build3"
        },
        {
            "binary_name": "spring-javaai",
            "binary_version": "106.0+dfsg-3build3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40997.json"
Ubuntu:25.10
spring

Package

Name
spring
Purl
pkg:deb/ubuntu/spring?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

106.*
106.0+dfsg-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "spring",
            "binary_version": "106.0+dfsg-4"
        },
        {
            "binary_name": "spring-common",
            "binary_version": "106.0+dfsg-4"
        },
        {
            "binary_name": "spring-javaai",
            "binary_version": "106.0+dfsg-4"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40997.json"
Ubuntu:26.04:LTS
spring

Package

Name
spring
Purl
pkg:deb/ubuntu/spring?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

106.*
106.0+dfsg-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "spring",
            "binary_version": "106.0+dfsg-4"
        },
        {
            "binary_name": "spring-common",
            "binary_version": "106.0+dfsg-4"
        },
        {
            "binary_name": "spring-javaai",
            "binary_version": "106.0+dfsg-4"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40997.json"